csrf

可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试): 由 翻译 强力驱动 问题: I am using Symfony2.0 and FOSUserBundle, and would like to disable the csrf token on my login form. I have disabled the csrf protection globally on my website in my config.yml: framework : csrf_protection : enabled : false This is working well, there is no csrf field added to my forms. However, this does not apply to the login form. On this form only, I get an "Invalid CSRF Token" error if I don't include the token in the form with: How can I disable the CSRF token on the login form? 回答1: If you just go to your security.yml file

可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试): 由 翻译 强力驱动 问题: Firstly I'm a complete noobie with Symfony 2. The question sounds simple, if I try and put some context into why and how I need this it will start to get confusing. In essence I've created a form, which I manually process, validate and insert using Doctrine etc. I am manually creating the form within a controller action (it's built dynamically from retrieved values from another object). I'm assuming there maybe better ways to do this, but as I'm new to Symfony and days of trawling the net, I can't see any solutions to what I need

可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试): 问题: This is a question about generating CSRF tokens. Usually I'd like to generate a token based off of a unique piece of data associated with the user's session, and hashed and salted with a secret key. My question is in regards to generating tokens when there is NO unique user data to use. No sessions are available, cookies are not an option, IP address and things of that nature are not reliable. Is there any reason why I cannot include the string to hash as part of the request as well? Example pseudocode to generate the token and embed it: var

可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试): 问题: I am using a third party library which spawns a raw XMLHttpRequest with new XMLHttpRequest . This bypasses my CSRF protection and gets shot down by my rails server. Is there a way to globally add a predefined CSRF token ( $('meta[name=csrf-token]').attr('content') ) to ALL instances of XMLHttpRequest at instantiation time? 回答1: I'd recommend to intercept calls to the send method: (function() { var send = XMLHttpRequest.prototype.send, token = $('meta[name=csrf-token]').attr('content'); XMLHttpRequest.prototype.send = function(data) { this

可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试): 问题: I have commented out csrf processor and middleware lines in settings.py : 122 123 TEMPLATE_CONTEXT_PROCESSORS = ( 124 'django.contrib.auth.context_processors.auth', 125 # 'django.core.context_processors.csrf', 126 'django.core.context_processors.request', 127 'django.core.context_processors.static', 128 'cyathea.processors.static', 129 ) 130 131 MIDDLEWARE_CLASSES = ( 132 'django.middleware.common.CommonMiddleware', 133 'django.contrib.sessions.middleware.SessionMiddleware', 134 # 'django.middleware.csrf.CsrfViewMiddleware', 135 'django

可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试): 问题: I'm a PHP developer learning Ruby on Rails by reading Michael Hartl's tutorial . Here is a quote from the book, referring to csrf_meta_tag : ...the Rails method csrf_meta_tag [prevents] cross-site request forgery (CSRF), a type of malicious web attack. Don’t worry about the details (I don’t); just know that Rails is working hard to keep your application secure. The thing is, I'm genuinely curious. How does inserting csrf-param and csrf-token meta tags prevent CSRF? I tried Googling, but couldn't find anything. 回答1: csrf_meta_tag is basically

I have the following code, that was working fine in Django 1.2.5: from django.views.decorators.csrf import csrf_exempt class ApiView(object): def __call__(self, request, *args, **kwargs): method = request.method.upper() return getattr(self, method)(request, *args, **kwargs) @csrf_exempt class MyView(ApiView): def POST(self): # (...) return HttpResponse(json.dumps(True), mimetype="text/javascript") But when I upgraded to Django 1.4, I started to get a 403 forbidden, with a "CSRF verification failed" message. Why is that @csrf_exempt decorator not working? URL definition is: from django.conf

可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试): 问题: After configuring Spring Security 3.2, _csrf.token is not bound to a request or a session object. This is the spring security config: And it renders the next html: The result is 403 HTTP status: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'. UPDATE After some debug, the request object gets out fine form DelegatingFilterProxy, but in the line 469 of CoyoteAdapter it executes request.recycle(); that erases all the attributes... I test in Tomcat 6.0.36, 7.0.50 with JDK 1.7. I have not understood

可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试): 问题: Beginner at Django here, I've been trying to fix this for a long time now. I do have 'django.middleware.csrf.CsrfViewMiddleware' in my middleware classes and I do have the token in my post form. Heres my code, what am I doing wrong? from django.contrib.auth.forms import UserCreationForm from django.shortcuts import render_to_response from django.http import HttpResponseRedirect from chartsey.authentication.forms import RegistrationForm from django.template import RequestContext from django.core.context_processors import csrf def register